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We study the problem of disentangling locked processes via code refactoring. We identify and char¬ 
acterise a class of processes that is not lock-free; then we formalise an algorithm that statically detects 
potential locks and propose refactoring procedures that disentangle detected locks. Our development 
is cast within a simple setting of a finite linear CCS variant — although it suffices to illustrate the 
main concepts, we also discuss how our work extends to other language extensions. 

1 Introduction 

The scenario. Concurrent programming is nowadays pervasive to most computational systems and 
present in most software development processes. In particular, concurrent programming is prevalent 
in cloud platforms and web-services, i.e., inherently distributed systems that rely heavily on message- 
based communication protocols. Unfortunately, this style of programming is notoriously difficult and 
error-prone: concurrency bugs appear frequently and have a substantial impact, as several recent reports 
show iTlIll. Concurrency errors are hai'd to detect because not every execution interleaving exhibits 
them, and this is further compounded by the large number of possible execution scenarios. Automatic 
techniques and tools are thus needed to analyse and ensure correct concurrent code. 

One common form of bugs is that of (dead)locks : they arise when a computational entity holds 
exclusive access to a resource without releasing it, while other entities wait to access that resource. In 
this work we characterise them in a very simple model of concurrent computation, show how to statically 
detect them, and in some cases, even show how to automatically solve some of the (dead)locks. 

Static analysis to the rescue. Concurrency theory is a well-established discipline, providing mathe¬ 
matical models of concurrent systems at vaiious degrees of expressiveness, (logical) languages to specify 
properties of such systems, suites of verification techniques of both safety and liveness properties, as well 
as tools to (automatically) analyse if some property holds for a given specification. 

We are interested in models centered around communication primitives and synchronisation mecha¬ 
nisms, as these are the key characteristics of a concurrent system. In particular, we are concerned with the 
static verification of properties for these models, not only because the approach analyses source code, but 
also because it is used pre-deployment, in an automatic way. The models are useful to specify and verify 
communication intensive systems and protocol implementations; the static analysis is a light verification 
technique that demands less from the user, as (s)he does not have to be an expert in logic. 

Concretely, herein we use the Calculus of Communicating Systems (CCS) ifT^ and define a sfafic 
analysis and refacforing algorifhm fhaf is nof only fully aufomafic, buf also working on “pure” source 
code, wifhouf further annofafions or even fypes. 
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Behavioural types. This field of study has gained momentum recently by providing statically more 
than the usual safety properties: (dead)lock-freedom or even progress can be statically established by 
relying on a broad spectrum of analysis techniques |l3l|4l|5l[Tl[8l|9l[ITl[T3l[T4l. Despite their utility, such 
static detection techniques inevitably approximate the solution (conservatively) — since they are “decid¬ 
ing undecidable properties” — and reject lock-free programs (give false positives). More importantly, 
however, these techniques simply reject programs, without providing help as to where the problem might 
be, or providing insights on how to solve the problem detected. 


Methodology. Following the approach of Giunti and Ravara ||9l, in this paper we propose that such 
techniques go a step further, and provide suggestions on how to fix a detected bug, showing possible 
patches. In particular, the work in ||9l focussed on resolving self-holding (dead)locks, i.e., when a thread 
holds the resources it wants to use itself. In order to detect such errors, a local analysis within one thread 
of computation, such as those discussed in 0, sufficed. 

By contrast, in this paper we investigate methods for resolving circular-wait (dead)locks, i.e., more 
general instances where concurrent entities block one another by holding access to a subset of the com¬ 
monly requested resources. Detecting such (dead)locks requires analyses that spread across parallel 
threads of computation, and one of the main challenges is to devise static techniques that are compo¬ 
sitional (thus scalable) wrt. the independent computing entities. For this expository paper, we do not 
consider the full language of 0. Instead we distill minimal features of the language — namely synchro¬ 
nisation, prefixes, and parallel composition — that permit us to focus the core challenges to be addressed. 
However, the ultimate aim of the work is still to address circular-wait (dead)locks in the full language of 
0 ; in the conclusion, we outline some of the additional issues that arise in the full language setting. 


Contributions. §|2]brielly introduces a concise, yet sufficiently expressive, process language to rigor¬ 
ously define (dead)locks. In §[3]we formalise the class of non lock-free processes targeted by our work 
and give an alternative characterisation for this class. We present an algorithm for statically detecting 
processes in this class in §|4l and in §[5]we describe disentangling procedures for the detected processes. 
§ [6] concludes. We note that whereas §[3]presents formal results, §|4]and §[5] deal with ongoing work. In 
particular, they present our general approach by formalising potential algorithms for static analysis and 
resolution, and outlining the properties that these algorithms are expected to satisfy. 


2 Language 

We consider a very basic language. Assume a countable set Names of names, ranged over by a,b,..., 
and a disjoint countable set Names of co-names, such that for every a G NAMES there is a a G Names; 
the co-action operation is idempotent i.e., d = a, and let a, j8 G (Names U Names) denote actions. 

The grammar in Fig.[T]defines the syntax of the language, a process algebra containing only prefixing 
and parallel composition, together with action synchronisations akin to CCS ifT^ . Let ‘^[Q] {resp. (§[Q]) 
be the process obtained by substituting the hole [—] occurring in the context ^ (resp. (o) with Q. 

The semantics is standard, relying on a structural equivalence relation = (the smallest congruence 
including the relation inductively generated by the rules below the grammar) and on a reduction re¬ 
lation —inductively generated by the rules of Fig. [U Let —denote the reflexive and transitive 
closure of 
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P,Q,R G PROC :: = 


(inert) | a.P (prefix) 


PII 2 (composition) 


(f ::=[-] \P\\S’\S’\\P 
‘if ::=[-] |P||^ I ^||P I 


(Evaluation Contexts) 
(Process Contexts) 


sNil P||0 = P 


COM- 


sCoM P||2 = 2||P 


SASS P||(e||P) = (P||G)||P 


Ctx- 


P' 


Str- 


P = P' ^Q' = Q 


a.P\\d.Q —^P||2 P — yQ 

Figure 1: The language (finite CCS): syntax and operational semantics 


Finally, assume henceforth a type system enforcing a linear use of names, F h P, along the lines of 
the work of Kobayashi ifTOl . In well-typed processes, no name appears more than once with a given 
capability (input or output), i.e., a name occurs at most twice in a process, or none at all. The set FProc 
is the subset of Proc induced by the typing system h. 


3 Lock Freedom 

Our point of departure is lock-freedom, as defined and studied by Kobayashi and by Padovani ifTOlfTSl . 
Definition 3.1 (Synchronisation predicates |[T3l l. 

m{a,P) = 3P',P"-P = P' II a.P" out{a,P) = 3P',P"-P = P' || a.P" 

sync{a,P) = in{a,P) and out{a,P) wait{a,P) = in{a,P) exor out{a,P) 

Definition 3.2 (Fock-Free |[T3l l. We define LF={P€ PROC | lfree{P)} where: 

lfree{P) = P — >* Q and wait{a, Q) implies 3P • Q —R and sync{a,R) 

Following Def. 13.21 locked processes, FProc \ LF, are those that never provide the resp. co-action 
for some waiting action. In the setting of §[2l this could be due to either of two cases: (/) the co-action is 
not present in the process; (//) the co-action is present, but stuck underneath a blocked prefix. Whereas 
in the case of (/), the context may unlock (i.e., catalyse ||4l) the process by providing the necessary 
co-action, in the case of (ii) no context can do so without violating the linear discipline of the process. 
Our work targets the unblocking of this second class of locked processes, specifically by refactoring the 
prefixing of the existing process. To this aim, we introduce the notion of a complete process. 

Definition 3.3 (Complete Processes). FProc ^ Cl\/tP= {P | cmp(P)} where: 
cmp{P) = Va- (yCin{a,P) iff cout{a,P)) and 

cin{a,P) = 3‘f[—],Q-P = ‘if[Q]andin{a,Q) cout{a,P) = P = '^[Q] and out{a,Q) 
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Remark 3.4. In contrast to in{a,P) and out[a,P) ofDef IT71 the predicates cin{a,P) and cout{a,P) of 
Def \3.3\ consider actions under contexts as well. 

Example 3.5. The process P = a.b.O || ^.c.O is not complete since, e.g., cin{a,P) but not cout{a,P). The 
process is also locked, but can be unlocked by the catalyser [—] || d.c.O without violating channel linearity 
i.e., [P]||d.c.O — 0. The inert process, 0 is clearly lock-free and complete. 

P] = a.Zj.O II 5.C.0 II c.d.O P 2 = d.{a.b.ti\\b.c.ti) || d.c.d.O 

P 3 = a.d.O P 4 = a.(b.d.tS \\b.Q) 

By contrast, processes Pi,P 2 ,P 3 and P 4 (above) are both complete but not lock-free. Note that we rule 
out complete processes such as a.d.a.O since they violate linearity and are thus not typeable (see §|2l). ■ 

Our work targets the process class CMP \ LF. In what follows we provide a characterisation for this 
class that is easier to work with. 

Definition 3.6 (Deadlock). dlock{P) = (■ P —^ Q'j and P ^0 
Definition 3.7 (Top-Complete). 

tcmp{P) = (in(a,P) implies cout(a,P)) and {out(a,P) implies cin(a,P)) 

Definition 3.8 (Potentially Self-Locking). PSL = {P G CMP \ ps/(P)} where: 

s/(P) = dlock{P) and tcmp{P) 
ps/(P) 3<?[-],Q ■ (P m] and s/(e)) 

A self-deadlocked processes, sl(P), denotes a deadlocked process that cannot be unlocked by a con¬ 
text without violating the linearity discipline, since the resp. actions are already present in the process, 
i.e., tcmp(P). This, together with dlock(P), also guarantees that these resp. actions will never be re¬ 
leased. A potentially self-locking process, psl(P), contains an execution that leads to a top-level sub¬ 
process, i.e., Q in that is self-deadlocked, si(2): temp(2) then guarantees Q cannot interact with 
any of the future reductions of ^[—]■ 

Example 3.9. Recall the processes in Ex. 13.51 Process Pi is self-locking, s/(Pi), and thus potentially 
self-locking as well, ps/(Pi). Although P 2 is not self-locking, -^sl{P 2 ) — it is not deadlocked and can 
reduce by interacting on name d — it is potentially self-locking, ps/(P 2 ), since P 2 —Pi. 

Both P 3 and P 4 are self-locking as well, but constitute instances of the self-holding deadlocked pro¬ 
cesses studied in S: in both cases, the locked resource (port a) is blocked by the co-action under the 
prefix of the same process. Such locks may be detected by a local analysis of the process prefixed by 
the blocked action. By contrast, in order to determine ps/(Pi) and ps/(P 2 ), the analysis needs to spread 
across parallel processes. ■ 

The main result of the section is that PSL characterises CMP \ LF. 

Theorem 3.10. PSL = CMP\ LF 

Proof. See § El 


□ 
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Environment Operations 


ri+r2 = r3 a;^dom(r2) 

r+0 = r (ri,a:p)+r2 = r3,a:p 

Layered Environments and Verdicts, and Operations 


_ Li +r 2 = r3 _ 

ri,a:p + r2,a:p = r3,a:p + p 


A € LayeredEnv ::= £ | r;A 


0 € Verdict ::= A | / 


_ _ Ai + A 2 = A 3 _ 

A + £ = A ri;Ai+r2;A2 = (El+r2);A3 


_ |A|=r 

£|=0 |r;A|=r+r 


r::,^ 


def 



if (/) = / or ((/) = A and dlock(r) and F C |A|) 
otherwise 




/ 

/ 

/ 

< 

Ai © A 2 


^ (/>! + (/»2 


if = / or (/»2 = / 

if 01 = ri;Ai ,02 = r 2 ;A 2 ,dlock(ri+r 2 ) and ri+r 2 c IA 1 +A 2 I 
if 01 = ri;Ai ,02 = r 2 ;A 2 and cmp(ri +r 2 ) 
otherwise (since 0 i = Ai, 02 = A 2 ) 


Compositional Static Analysis Rules 


dNil 


Ot>0 


DiN 


Pl>0 

a.P'>{a ij,::0) 


dOut 


Pl>0 

d.P\>[a :t"0) 


Pi t> 01 P 2 02 

dPar--- 

Pi II P 2 01 © 02 


Figure 2: Static Analysis for Potential Self-Deadlock 


4 Static Detection for Potentially Self-Locking Processes 

We devise an algorithm for detecting potentially self-locking processes. To be scalable, the algorithm is 
compositional. The intuition behind is that of constructing layers of permission environments Fi;...; r„, 
approximating the prefixing found in the process being analysed, and then checking whether this struc¬ 
ture satisfies fhe fwo condifions defining self-deadlock (see sl(—) in Def. 13.81) . namely fhaf fhe lop envi- 
ronmenl F 1 represenls a deadlock and lhal fhe layered sfruclure is, in some sense, top-complete. 

Example 4.1. We determine that the process Pi from Ex. \3.5\ is (potentially) self-locking by constructing 
the list of layered environments 


[a 

'-V- 

El 


:i) ; (a :f,b :|,c :t) ; £ 

-' '-V-' 

r 2 


and checking that 

• the top environment F 1 does not contain any matching permissions, i.e., codiT 1 ) — this implies 

that the (composite) process is deadlocked; 

• that all the resp. dual permissions are inT 2 — this implies that the (composite) process is blocking 
itself and cannot be unblocked by an external process composed in parallel with it. 
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The main challenge of our compositional analysis is to detect eventual self-deadlocks in cases when the 
constituent are dispersed across a number of parallel processes. In the case of P 2 of Ex. |j.5l we need 
to analyse the parallel (sub) processes d.{a.b.ti ||^.c.O) and d.c.d.ti in isolation, and then determine the 
eventual deadlock once we merge the sub-analyses; recall, from Ex. \3.9\ that P 2 reduces to Pi from the 
respective continuations prefixed by d and d. ■ 

Formally, permissions, p,jU £ denote resp. input, output and input-output capabilities. The 

merge, p + p, and complement, p, (partial) operations are defined as: 

i+t=t T=t t=i r=^ 


Environments, F, are partial maps from names to permissions. We assume the following overloaded no¬ 
tation: complementation, F, inverts the respective permissions in cod(r) whereas deadlock and complete 
predicates are defined as: 

dlock(r) = cod(r) = {4,t} cmp(r) =cod(r) = 

The rules in Fig. |2] define the merge operation over environments, Fi -|-r 2 (we elide symmetric rules). 
Layered environments. A, are lists of environments. Our static analysis sequents take the form Px/) 
where 0 is a verdict, it can either be a layered environment or /, denoting a detection. Layered environ¬ 
ments may be merged, Ai -|-A 2 , or flattened into a single environment, |A|; see Lig.|2l 

The static analysis rules are given in Lig. |2l and rely on two verdict operations. Prefixing, F:: 0, 
collapses to the definite verdict / if (/) was definite or else F is deadlocked, dlock(r), and top-complete, 
F C |A|, but creates an extended layered environment otherwise. Verdict merging, 0 ^ 2 > collapses 
to / if either subverdict is a definite detection, or the combined top environments, Fi 0 r 2 , satisfy 
environment deadlock and top-completeness; if Fi 0 r 2 is complete, then it is safe to discard it and 
check for self-deadlock in the sub-layers (see Rem. 14.31) otherwise the verdicts (which must both be 
layered environments) are merged. 

Example 4.2. Recall process P 2 from Ex. I4.il We can derive the sequents: 

d.{a.b.tS\\b.c.(f) > ( 4 :i); (a :t); ((? :i,c :),); e (1) 

r/.c.a.O i> (d :t); (c :),); {a :t); £ (2) 

Eor instance, in the case of O, we first derive the judgements a.b.O a :f,b :4-;£ and b.c.O \> b'.j\c 
using rules dNil, dIn and dOut. Applying dPar on these two judgements requires us to calculate 

(a :|;i7:4,;£)©(i7 :t;c :t;£) = (a-.j^b+ {b ■.t,c ■.f\£) = (a :t); :i,c :|);£ 

using the definition of^i © ^from Eig. |2] We thus obtain ([T]) by applying DiN on the resultant judgement. 

Importantly, when we use rule dPar again, this time to merge judgements o and (ID), the definition 
of (/>! © (/>2 allows us to reexamine the environments in the sub-layers, since the merged top-layer is com¬ 
plete, cmp(d :j-\-d :t), from which we infer that the top actions guarding the merged parallel processes 
will safely interact and release the processes in the sub-layers. Stated otherwise, we obtain: 


[d-.ffia :].,b :f)-,{b :l,c :l)-,£) ® [d :f,c :f,a :f,£) = [{a :l,b :f)-,{b :i,c :l.)-,£) ® [c :i-,a :f,e) = / 
since dlock{{a :l,b :t) + (c :|)) and a :l,b :t,c C | ((i? :|,c :4);£) + (a :t;£) | = {b :4-,c :t)- ■ 
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roc ,0 = 0 

„ _pdet/a.O||P r(a)=t 

1 oci a.P = < 


1 a. (r oc 1P) otherwise 
roc20 = o 

rfl.o||(roc2P) r(a)=t 

roc 2 a.p= (roc 2 P) r(a)=i 

a . (r oc 2 P) otherwise 


r-iP||(2 = (rociP)||(roci(2) 


la.(Foci P) otherwise 
roc2P||(2 = (roc2P)||(roc2e) 


defJa.0||P r(a) =4, 
i oc^a.r = < 



M I a.(roc 2 P) ||a.O r(a) =1 
[a.(roc 2 P) otherwise 


Figure 3: Disentangling for Potential Self-Deadlock 


Remark 4.3. When merging verdicts, it is unsafe to ignore individual complete mappings, e.g., a 
even though this makes the analysis imprecise. It is only safe to ignore them (and check for potential 
deadlocks in lower layers) when the entire top environment is complete, i.e., cmp(T). a counter¬ 
example justifying this, consider the lock-free process {a.b.d || b.O) || d.O. We currently deduce 

{a.b.O\\b.O) :> {a:\,,b:l.)',b:f',e and d.O > a:f\e where a\]^,b\\.-\-a-.j = a-.\.,b'.'\<^b-.'[ 

However, eliding a'.f from the analysis, i.e., assuming that {a:].,b:\.) -\- a'.j' = b:"[, yields an unsound 
detection. Precisely, when merging the sub-verdicts for rule dPar, ((a '.\^,b '.\.)\b :t;£) © (a :t;£). 
we would first obtain dlock{{a'.f)-\-a'.f) and moreover that {a\\.,b'.\)-\-a'.^ = b'.f is a subset of 
I (Zj I'l'; £) + £ I =b\f, which yields /according to Fig. |2] ■ 

We expect the judgement P> / to imply psl(P), which would in turn imply -ilfree(P) by Thm. 13.101 We 
leave the proof of the first implication for future work. 

5 Disentangling Potentially Self-Locking Processes 

To illustrate the ultimate aim of our study, we outline possible disentangling functions that refactor a 
potentially self-deadlocked process into a corresponding lock-free process. These disentangling func¬ 
tions are meant to be used in conjunction with the detection algorithm of § |4] as a static analysis tool 
for automating the disentangling of processes. There are a number of requirements that a disentangling 
algorithm should satisfy. For instance, it should not violate any safety property that is already satisfied by 
fhe enfangled process {e.g., if an enfangled process P fype-checked according fo some typing discipline, 
i.e., F h P , the resulting disentangled processes, say Q, should still typecheck wrt. the same type disci¬ 
pline/environment, i.e., F h Q). Additionally, one would also expect the resultant disentangled process 
to be lock-free, as expressed in Def. 13.21 or at the very least to resolve a subset of the locks detected. 
But there are also a number of additional possibilities for what constitutes a valid process disentangling. 
Within the simple language of § |2j we can already identify at least two (potentially conflicting) criteria: 

1 . the order of name usage respects that dictated by the innermost prefixing of the entangled process. 
Stated otherwise, any locks are assumed to be caused by prefixing af fhe fop-level of the process. 

2 . the order of input prefixes in fhe enfangled process should be preserved. 
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We envisage a straightforward extension to the system Pt>^ of § |4j with extended detection reports, 
(/,r). The tuple (/,r), in some sense, explains the source of the problem detected by including the 
offending top-layer environment of a self-deadlock, F; this information is then used by the disentangling 
procedure to refactor the detected process. 

Fig. [3] defines two disentangling functions that take this (top-layer) environment and the resp. de¬ 
tected process as input, and return a refactored process as output. The first function, F oc j P, translates 
problematic prefixing (as dictated by F) into parallel compositions. The second function F 0 C 2 F operates 
asymmetrically on input and output prefixes: whereas problematic outputs are treated as before, blocked 
inputs are not parallelised; instead the resp. output is pulled out at input level. 

Example 5.1. The algorithm of^^could detect P^ (below) as P^t> (/, (a :4,,c :"()), where F = (a :4.,c :"() 

P5 = a.b.c.tS II c.b.d.tS 

Using the offending top-layer environment F, we can apply the two disentangling algorithms of Fig. |3] 
and obtain the following: 

FociP 5 = (a.OII b.c.O) II (c.O|| b.d.O) (3) 

r°c2F5 = (d.O II a.b.c.O) || (c.O || b.d) (4) 

While both refactored processes are lock-free, it turns out that the first disentangling function observes 
the first criteria: in the refactored process, interactions on a and c happen after interactions on b, 
since these names are (both) prefixed by b (and b) at the innermost level of P 5 . Conversely, the second 
disentangling function observes the second criteria discussed above: in the refactored process, the 
input prefixing that orders a before c in P 5 is preserved (this was not the case in @ ). Note that both 
refactorings preserve channel linearity (a safety criteria) while returning lock-free processes. ■ 

6 Conclusion 

We have outlined our strategy for automating correct disentangling of locked processes, generalising pre¬ 
liminary results previously presented Q. Although we limited our discussion to a very simple language 
— the variant of the finite CCS without recursion, choice or name scoping — this was expressive enough 
to focus on the usefulness of the concepts and techniques we propose, i.e., resolving circular locks 
across parallel compositions. We define precisely the class of (dead)locked processes within this setting, 
and provide a faithful characterisation of them in terms of a novel notion: potentially self-locking pro- 
cesses.We also devised a compositional algorithm to statically detect these processes and unlock them, 
improving previous results (cf. @). In particular, Giunti and Ravara Q used a different technique (based 
on balanced session types) and could only disentangle self-holding deadlocks such as those in processes 
P 3 and /Ir of Ex. 13.51 The technique does not support reasoning about (and disentangle) locks across 
parallel compositions, such as those shown for processes Pi and P 2 of Ex. l3.5l and P^ of Ex. 15. II 

We expect the concepts and techniques developed to carry over to more expressive languages. We 
are considering language extensions such as process recursion, unrestricted channel names (to allow non¬ 
determinism), and value-passing. Eor instance, disentangling the value-passing program (an extension 
of the process P 5 in Ex. 15.II) Pt, = a{x).b{x-\- l).c(y).0 || c(5).Zr(z).d(7).0 may not be possible for certain 
disentangling functions (and criteria) e.g., Foc] P, whereas others may require auxiliary machinery, e.g., 
the flndVal(—) function used by Q for pulling out the resp. output values in F 0 C 2 F’; in (complete) linear 
settings, there is a unique output for any particular channel, which can be obtained through a linear scan 
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of the process. The input binding structure may also make certain processes impossible to disentangle. 
E.g., consider a modification in P(, above where the value 7 is changed to the bound value z. This would 
create a circular binding dependency: one between the input on channel a and the output on b through 
variable but also another one between the input on b and the output on a through variable z. These 
issues will all be considered in future work. 
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A Proofs 

This section is devoted to the proof of Theorem 13.101 We start with some auxiliary definitions and 
lemmas. 

Given a process P of Figure [TJ we indicate with NAMES (P) the subset of NAMES induced by the rule 
Names (a.P) = {a} U Names (P): the remaining cases are homomorphic. We use U for disjoint union 
of sets. 

We remember that we assume that the processes P of our interest are linear, that is they never contain 
two or more inputs or outputs on the same channel, and deploy the following results. 

Lemma A.l. IfP —> P' then there is port, a, such that NAMES (P') U {a} = NAMES (P) and sync{a,P). 

Proof. By induction on the rules of Figure 1; straightforward. □ 

Corollary A.2. IfP —)■* Q then the following holds: 

1. Names (2) c Names (P) 

2. r/NAMES(P)\NAMES(2) = {u, ■■■} then there exists a Pa and a P^ such that P —)•* Pa — P'a Q 
with Names(P^) U {a} = Names (P^) and sync{a,Pa). 

Lemma A.3. If cin{a,P) (cout(a,P)) and P —)■* Q then exactly one of the following cases holds: 

1. cin{a,Q) (cout{a,Q)) 

2. a ^ Names (Q) and there exists an Ra and an R'^ such that P Ra —> R'a Q and NAMES [R'f] U 

{a} = Names (Pa) and sync{a,Ra). 

Proof We have two cases corresponding to (i) a G NAMES (2) or (ii) a 0 NAMES (2)- In case (i), assume 
P —)■ Pi — >1 • • • 2n —^ 2- We proceed by induction on n. From Lemma IATT] we know that there exists 
b such that Names (Pi) U {b} = Names (P) and sync(Z>,P). Since Names (2) C Names (Pi), we infer 
a G Names(Pi) and in turn af^b. From this and cin(a,P) we deduce that cin(a,P'). Now assume that 
cin(a,2n)- From Lemma 1 we deduce Names (2) U {c} = Names(2«) for some c / a: thus dn(a, Q). 
The case cout(a,P) is analogous. Case (ii) is a direct consequence of Corollary IA.2I 

□ 


Lemma A.4. IfP G CMP and P —>■* Q then Q G CMP. 

Lemma A.5. For any P there exists Q such that P Q and Q 

Proof of Theorem 13.101 To show the right to the left direction, assume P G CM P \ LF. By definition: 

CMP \LP = {P G CMP I 3{Q,a) . P —)►* Q A wait(a,2) ^ VP . 2 —^ ^ -'Sync(a,P)} 

Let 2a be a distinctive redex of P: thus in(a,2a) exor out(a,2a)- Assume in(a,2a) and consider 
Pstop such that 2a Pstop which does exists by Lemma IA.5I By Lemma IA.3I we know that 
in(a,Pstop): from -isync(a,Pstop) we infer -iout(a,Pstop)- From Lemma lAAl we infer Pstop G CMP: thus 
cout(a,Pstop)- Therefore dlock(Pstop) and tcmp(Pstop), as required. The case out(a,2a) is analogous. 

To see the left to the right direction, assume that P G CMP and that P — >* iF[Q] with dlock(2) and 
tcmp(2). Note that this excludes the case 2 = 0: therefore NAMES (2) 7 ^ 0, and in turn NAMES (P) 0, 

because of Corollary lA.21 From NAMES (2) 7 ^ 0 and the rules of structural congruence we infer that there 
is a G Names( 2) such that (i) Q = a.Q' || Q" or (ii) Q = d.Q! || Q”. In case (i) we infer in(a, Q)\ from 
2 A we deduce -iout(a, 2 ); in case (ii) we infer out(a, 2 ) ; from 2 7 ^ we deduce -iin(a, 2 )- In both 
cases we infer wait(a,2)! and in turn -isync(a,2) which completes the proof since Q has no redexes: 
that is, P G CMP \LP. □ 


















